Modern security threats are capable of executing complex attacks very rapidly through automated means. These attacks can take place at any time, unsympathetic to business hours or personnel schedules. To detect them, analysts must first receive alerts, manually correlate them to identify credible threats, determine a course of action, and then carry out incident handling processes against the affected systems and services. This introduces delays, so security analysts are often reacting to a compromise rather than responding to an event as it happens or preventing a successful attack.
A common solution to this issue is to place a device inline with the communication path, actively inspecting all traffic that passes through it and passing judgement on whether or not to block it. However, active techniques introduce a performance penalty in the form of latency, which is unacceptable in extremely latency-sensitive environments such as streaming or financial trading networks. Also, such active solutions are typically blind to contextual information arriving from other systems in other parts of the network; they are only able to pass judgement on each packet (or sequence of packets) in a vacuum. Moreover, many existing tools that profess to provide this level of analysis are expensive, and often require the company to lock itself into a specific set of tools in order to achieve any significant level of correlation and interoperability.